The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines the impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes the Harmonized Tariff Schedule of the United States.

Commissioners
Irving A. Williamson, Chairman
Daniel R. Pearson
Shara L. Aranoff
Dean A. Pinkert
David S. Johanson
Meredith M. Broadbent

UNITED STATES INTERNATIONAL TRADE COMMISSION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, DC 20436

June 24, 2013                                                      IG-LL-008

Chairman Williamson:

This memorandum transmits the Office of Inspector General's final report, Audit of Perimeter Network Security, OIG-AR-13-09. This audit focused on whether the Commission's perimeter defense was effective. In finalizing this report, we analyzed management's comments to our draft report and have included those comments in their entirety as Appendix A.

This audit found that the Commission's perimeter defense was effective, and it identified two areas for improvement.
This report presents seven recommendations to further secure the Commission's perimeter.

Thank you for the courtesies extended to the auditors during this review.

Philip M. Heneghan
Inspector General

U.S. International Trade Commission
Audit Report

Table of Contents

Results of Audit ......................................................... 1
Areas for Improvement .................................................... 2
   Area for Improvement 1: The Commission should implement ongoing scanning to detect vulnerabilities. ......... 2
   Area for Improvement 2: The Commission should remediate current webserver vulnerabilities. .................. 3
Objective, Scope and Methodology ......................................... 4
Appendix A: Management Comments on Draft Report .......................... A

OIG-AR-13-09                                                   -i-

Results of Audit

The purpose of this audit was to answer the question:

       Is ITCNet's perimeter defense effective?

Yes. ITCNet's perimeter defense is effective.

We assessed the Commission's perimeter defense and were unable to gain unauthorized access to the Commission's systems.
The Commission's perimeter defense continues to be effective.

A penetration test is an attempt to breach a network and gain unauthorized access to its resources. In July 2012, we conducted a penetration test of the ITC network using public information. Our search for public information on the ITC network servers identified a network range of 64 IP addresses known to host ITC services. We used software to detect servers and their responding ports, and then we scanned these servers for vulnerabilities.

The ITC's computer network has over 500 systems, consisting of servers, desktops, laptops, printers, phones, and network infrastructure devices. Every computer is connected to the network with a unique IP (Internet Protocol) address. For example, a desktop PC on the ITC network might have an address like 192.168.50.40. A typical Windows PC could have more than 20 listening ports. Each port serves a specific function: port 80 is used to request web pages from a webserver, and port 25 is used to transfer email. It would be normal for a network of 500 systems to present 10,000 responding ports, all potential targets for attack.

The Commission's effective perimeter defense exhibits the following traits:

   - The Commission's intrusion detection system effectively prevents port scanning.
   - It was not possible to gain unauthorized access to identified services within the scope of the audit.
   - Most of the listening services we identified appeared to be functions necessary for the ITC to conduct business.

In summary, the ITC network's perimeter defense effectively prevented our intrusion attempts.

An effective perimeter defense is a significant component of a complete network security program. An attacker can exploit a network in a number of ways.
In general, she can attack the network perimeter as we did, or she can bypass the perimeter by tricking a user into letting her in. That can be as simple as getting a user to open a malicious email or visit an infected website, or leaving an infected USB drive near the front door of the building for an employee to find. While the ITC network's current perimeter defense is effective, continuous attention and improvement are required to ensure that it remains effective in the future.

Our penetration testing did reveal two potential areas for improvement: the agency should implement ongoing scanning to detect vulnerabilities, and it should remediate current webserver vulnerabilities. These areas for improvement are detailed below.

Areas for Improvement

Area for Improvement 1: The Commission should implement ongoing scanning to detect vulnerabilities.

Networks and their systems evolve over time, either deliberately or by chance. Secure systems installed today will become insecure over time as new vulnerabilities are discovered in their underlying operating system or application software. Furthermore, any time changes are made to the existing environment, vulnerabilities can be inadvertently introduced. The best means of mitigating this risk is vulnerability scanning, both on a periodic basis and on demand any time a change is made to the environment.

Even though it is licensed to use software that can perform vulnerability scanning of its perimeter, the ITC was not performing this function. The penetration test we performed as part of this audit found several potential vulnerabilities.
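Periodic scanning of the kind described above is only useful if each scan is compared with the previous one, so that a new host, a newly listening port or a changed software version is noticed rather than buried in a few thousand lines of output. The script below is an added illustration of that comparison; it is not part of the audit or of the Commission's tooling. It reads two scans written in the grepable layout of nmap (the "-oG" output format; the audit itself lists Nessus, Wireshark and BackTrack, so nmap is this example's choice) and reports what changed. Both scan texts are constructed for the example: the addresses are in the 203.0.113.0/24 documentation range and the service banners are invented.

```python
import re

# Two perimeter scans in the layout of nmap's grepable output (-oG).
# Both are constructed for this example: the addresses are in the
# 203.0.113.0/24 documentation range and the banners are invented.
BASELINE_SCAN = """\
# baseline scan (constructed sample, not real scan output)
Host: 203.0.113.10 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 443/open/tcp//ssl|http//Apache httpd 2.2.3/\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.3/, 443/open/tcp//ssl|http//Apache httpd 2.2.3/\tIgnored State: filtered (998)
"""

CURRENT_SCAN = """\
# scan taken after a change window (constructed sample)
Host: 203.0.113.10 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 443/open/tcp//ssl|http//Apache httpd 2.4.4/\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.3/, 443/open/tcp//ssl|http//Apache httpd 2.2.3/, 8080/open/tcp//http-proxy//Jetty/\tIgnored State: filtered (997)
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/\tIgnored State: filtered (999)
"""

# A -oG host line reads "Host: <ip> (<name>)  Ports: <port list>  Ignored State: ...".
HOST_LINE = re.compile(
    r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$"
)


def parse_grepable(text):
    """Return {(host, port, proto): (service, version)} for every open port."""
    services = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # comment lines and hosts with no port list
        host, port_list = match.groups()
        for entry in port_list.split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            version = fields[6] if len(fields) > 6 else ""
            services[(host, int(fields[0]), fields[2])] = (fields[4], version)
    return services


def diff_scans(baseline_text, current_text):
    """Compare two scans; everything returned is something a reviewer should look at."""
    base = parse_grepable(baseline_text)
    cur = parse_grepable(current_text)
    base_hosts = {host for host, _, _ in base}
    cur_hosts = {host for host, _, _ in cur}
    return {
        "new_hosts": sorted(cur_hosts - base_hosts),
        "new_ports": sorted(key for key in cur if key not in base),
        "removed_ports": sorted(key for key in base if key not in cur),
        "version_changes": sorted(
            (key, base[key][1], cur[key][1])
            for key in cur
            if key in base and base[key][1] != cur[key][1]
        ),
    }


def format_report(diff):
    """Render the diff as the short text a scheduled job would mail out."""
    lines = []
    for host in diff["new_hosts"]:
        lines.append(f"NEW HOST      {host}")
    for host, port, proto in diff["new_ports"]:
        lines.append(f"NEW PORT      {host}:{port}/{proto}")
    for host, port, proto in diff["removed_ports"]:
        lines.append(f"CLOSED PORT   {host}:{port}/{proto}")
    for (host, port, proto), old, new in diff["version_changes"]:
        lines.append(f"VERSION       {host}:{port}/{proto}  {old!r} -> {new!r}")
    return "\n".join(lines) if lines else "no change since baseline"


if __name__ == "__main__":
    print(format_report(diff_scans(BASELINE_SCAN, CURRENT_SCAN)))
```

On the constructed input the report lists one new host, two new listening ports (one of them on the new host) and one changed banner on an existing port; closed ports are reported too, because a service disappearing from the perimeter without a change record is as worth a question as one appearing. The previous scan's output is the baseline for the next run, so the job needs only a scheduled scan (monthly, per Recommendation 1) and an extra run after each change (Recommendation 2).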
Because no previous tests had been performed, it was not known how long these systems had been vulnerable. The longer systems remain vulnerable, the more likely it is that they will be exploited. Regular testing would have identified these vulnerabilities and enabled timely remediation.

In order to execute the mission of the agency, senior management must remain informed of risks to its underlying systems. Regular perimeter scans are a critical source of information describing risks to an agency's information systems.

Recommendation 1: Perform scheduled, routine scanning of the perimeter on at least a monthly basis.

Recommendation 2: Perform perimeter scans after new hardware or software is introduced to the ITC perimeter network.

Area for Improvement 2: The Commission should remediate current webserver vulnerabilities.

The penetration test we performed identified several potential vulnerabilities in the agency's webservers. We were unable to exploit them using the tools and methods within our scope of testing, but a determined attacker could use these vulnerabilities to compromise the ITC's systems.

We identified three types of potential vulnerabilities affecting four of the agency's internet-facing servers. One was specific to the vendor software in use: an obsolete and vulnerable version of the Apache web server. Upgrading to a current version of Apache would resolve that issue.

The remaining two types of vulnerabilities are specific to the custom software applications providing website services.
These affect two systems, and are known as "Cross-Site Scripting" and "SQL Injection" vulnerabilities.

Cross-Site Scripting (XSS) vulnerabilities allow an attacker to run script of their choosing in a visitor's browser, in the context of the affected website. Among other things, such script can redirect users of the website to a different website without their knowledge or permission. A recent higher-profile example is the November 2012 exploit of the Yahoo email service, which resulted in account breaches and the proliferation of spam.

The SQL Injection vulnerabilities found indicate that it may be possible for an external attacker to change the behavior of the application so as to directly read, or possibly modify, the internal ITC database supporting the application. This type of vulnerability is frequently used to alter a once-legitimate website so that it sells male enhancement drugs, embarrassing the owners of the website. Firms that store private data such as passwords or credit card numbers are at significant financial risk from these types of attacks.

The ITC has a responsibility to control access to its data, and to protect users of its public websites from malicious activity. It is possible to improve security by upgrading and reconfiguring the existing webservers, and by correcting the affected application code, to remediate the issues found in the perimeter scan.

Recommendation 3: Upgrade vulnerable software to current, secure versions.

Recommendation 4: Upgrade encrypted websites to current standards.

Recommendation 5: Remediate known Cross-Site Scripting vulnerabilities.

Recommendation 6: Remediate known SQL Injection vulnerabilities.

Recommendation 7: Perform routine maintenance to identify and remediate vulnerabilities affecting public websites.
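Both classes of application flaw named in this area come from the same mistake: text supplied by an outside user is concatenated into a string that another interpreter (the database engine, the visitor's browser) then parses as code. The example below is added here for illustration and is not code from the audit or from the Commission's applications. It shows a minimal report-search feature in its vulnerable form and in its corrected form for each flaw: the injection fix is a parameterized query (the term is sent as data, so no amount of quoting in it can change the statement), and the XSS fix is escaping at the point where outside data is written into HTML. The in-memory SQLite table, its rows and the two payloads are all constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the database behind a
    public report-search page. Nothing here comes from the Commission's systems."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO reports (title, public) VALUES (?, ?)",
        [
            ("Harmonized Tariff Schedule revision", 1),
            ("Steel import injury investigation", 1),
            ("Draft determination (not yet released)", 0),
        ],
    )
    return conn


def search_vulnerable(conn, term):
    """Search as many legacy applications do: the term is pasted into the SQL."""
    sql = f"SELECT title FROM reports WHERE public = 1 AND title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """Parameterized query: the term travels as data and can never become SQL."""
    sql = "SELECT title FROM reports WHERE public = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def render_vulnerable(term, titles):
    """Echoes the search term and the results into HTML without escaping."""
    items = "".join(f"<li>{t}</li>" for t in titles)
    return f"<p>Results for: {term}</p><ul>{items}</ul>"


def render_fixed(term, titles):
    """Escapes everything that came from outside before it reaches the page."""
    items = "".join(f"<li>{html.escape(t)}</li>" for t in titles)
    return f"<p>Results for: {html.escape(term, quote=True)}</p><ul>{items}</ul>"


# Payloads an external attacker could submit through the search form
# (constructed for the example; attacker.invalid is a reserved, non-resolving name).
SQLI_PAYLOAD = "' OR 1=1 --"  # closes the quoted term, makes WHERE always true, comments out the rest
XSS_PAYLOAD = "<script>location='http://attacker.invalid/'</script>"  # redirects the visitor


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, SQLI_PAYLOAD))  # leaks the non-public draft row
    print("fixed:     ", search_fixed(db, SQLI_PAYLOAD))       # no rows: the payload is just a string
    print(render_vulnerable(XSS_PAYLOAD, []))                  # script tag reaches the browser intact
    print(render_fixed(XSS_PAYLOAD, []))                       # &lt;script&gt;... is displayed, not run
```

The `public = 1` filter is what the injection defeats: the vulnerable query returns the unreleased draft because the attacker's `OR 1=1` is evaluated as part of the WHERE clause, which is exactly the "directly access the internal database" outcome described above. Note that neither fix involves filtering the input for bad characters; a search for a title that legitimately contains an apostrophe or an angle bracket still works, and that is the test that distinguishes a real fix from a blacklist.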
Objective, Scope and Methodology

Objective:
       Is the ITC network's perimeter defense effective?

Scope:
This audit included all externally available wired nodes on the USITC network. The device list included, but was not limited to, all servers, workstations, routers, email gateways and firewalls. The access types attempted included login attempts for the purposes of information gathering, privilege escalation, and establishment of jumping points to other areas of the USITC network infrastructure.

Methodology:
   1. From an unfiltered IP address, performed unauthenticated network and device discovery using a toolset including, but not limited to, Nessus, Wireshark, and other applications within the BackTrack tool suite.
   2. Reviewed and analyzed protocol encryption types, as applicable.
   3. Performed automated and manual login attacks using Hydra and/or other tools.
   4. Attempted to gain shell access using BackTrack tools.

Appendix A: Management Comments on Draft Report

"Thacher's Calculating Instrument," developed by Edwin Thacher in the late 1870s, is a cylindrical, rotating slide rule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used by architects, engineers, and actuaries as a measuring device.